Privacy after 9-11

Privacy

follow the directions & chew slowly:)
Netiva Caftori, Northeastern Illinois University

The Control of Privacy after Nine-Eleven 

Since September 11, 2001, many feel that civil liberties, and in particular 
the freedom to control privacy, have been compromised in the name of 
security. As security increases, the ability to control privacy appears to 
decrease. What is needed is the ability to maintain a balance between the 
desire for privacy in our lives and the desire for security, or in general 
the desire for any service or convenience we have been used to. For example, 
our e-mails are mostly un-encrypted and convenient, but consequently not 
private. Encrypting them -- as with sending letters in envelopes rather than 
as postcards -- is less convenient but more secure and private. 
What we really want is control over levels of privacy. One can feel secure 
but not have privacy, but one can also have privacy and feel insecure. In 
this paper, the issue of on-line privacy is addressed with historic 
perspective a year after 9/11.

The history of the privacy issue (14) can be presented in three periods:
1. Up to about 1850 the worlds of HOME and WORK were the same. Socially, for 
almost all people it was the world of the village, sometimes even the world 
of the family.  Technically, the tools used for work were privately owned in 
the family. Economically, at the end of this period, most people were their 
own employers, after having been slaves or in the feudal system.  
Politically, despite the hierarchical structure of the European rulers, 
people listened to a local government in which aldermen dominated.

  In this period people didn't know what privacy was. Apart from a few 
people, most people had no privacy at all. Everybody knew everybody in the 
village.  The barber was the place to go for gossip about the local people. 
Even kings and counts had little privacy, but their position (hence power) 
determined the amount of privacy. 
2. From about 1850 to 1950 the worlds of HOME and WORK were slowly drifting 
apart.
With the upcoming industrialization, for more and more people the world of 
their home and the world of their work were two different worlds. Hence, 
socially speaking, people recognized two social worlds. Some people even 
managed to separate these worlds completely by working in the town while 
still living in the village.  Town life and village life became distinct 
ways of living.  Technically, we see that ownership of tools also diverted 
into enterprise capital and family tools.  Economically, we see more and more 
people becoming dependent of an employer. Also law diverted into Family law 
and Trade law.  Politically, people were confronted with distant governmental 
views, policy and laws. The National government and their election become a 
more important issue than local government.  This drifting apart of HOME 
and WORK resulted into more and more privacy for most people. You could hide 
away in one or the other world. Town life was known for its individualism. 
At the end of this period even the grocer disappeared and we got the 
supermarket.
3. Since 1950 for most people HOME and WORK are two very distinct worlds. And 
most people want it that way. They also see the value of hiding from one or 
the other.
But the more distant government and businesses became, the more they needed 
information about their clients and customers because they did not get this 
information in the old way by simply listening to people. The government 
developed the Census and a law to enforce its effectiveness. Enterprises 
developed actions and gave presents for information.  Fortunately, around 
1950 the computer developed. Both government and business started to 
accumulate data as much as possible. Privacy, for the first time, 
became an issue.  
Now, with the present IT infrastructure in place, we leave a constant trace 
of where we are and what we do, making it even easier for government and 
commerce to collect and accumulate this data for their purposes.
The conclusion must be that all these parties in the present situation have 
their rational interests to give or to withhold personal information. The 
question is NOT how to prevent the loss of privacy. The question is how to 
balance the needs of all parties involved. Only a deep study of competing 
interests and needs for information can give us an answer to the question 
of privacy protection.

Privacy after 9/11
	The attacks of Sept. 11, one year ago, left us with a terrible 
vulnerability; not just human, but of the world's computers, networks, and 
information systems. 
We have seen our privacy compromised in the name of security.  We have seen 
censorship and useful information taken off public Internet sites in the 
name of fighting terrorism.  An atmosphere of suspicion has replaced the 
first few moments of solidarity. 

 Useful innovations have been halted and the PATRIOT act of 2001 made it all 
legal.
Before expanding on this topic, let us see an example of privacy in one 
aspect of our life: the workplace.  There, too, the employer plays a similar 
role as the government in other aspects of our life.  The privacy we have 
learned to cherish is diminishing, not necessarily because of 9/11, but 
now being justified by it.

Online privacy at home and in the workplace 
Web browsers, portals and a multitude of hyperlinks take us to many 
wonderful Web locations where we can buy goods or find information.  Email 
is now considered an essential business and social tool, not far behind the 
telephone in importance to the average person while at home and work.  It 
is safe to say that in this day the average American has the ability to 
access and share information and various resources to a degree unparalleled 
with anytime in the past.  What's not as easily seen is that access to 
the Internet and the World Wide Web comes at a price. As we move through 
the Web our presence can be recorded; the details of what we say divulged.  
Our online preferences are analyzed; the hard drives of our computers looked 
over.  

What's more, all of this can be done without our knowledge. A respectful workplace and home privacy policy is needed. As this paper is going to publication, the Bush administration is issuing a long awaited set of guidelines for protection against terrorist threats in cyberspace detailed further down.
The problem in the workplace Electronic privacy in the work place is fraught with numerous issues.
Increasingly employers are implementing software programs that monitor every facet of an employee's action as they work on their computer and especially tracking what they send, receive and see online.
From the employer's perspective there are at least three major concerns that prompt monitoring of employees (9): - Concern for potential misuse of electronic media, such as for sexual or customer harassment, that could lead to legal problems for the employer - Concern for security as it applies to bringing malicious code into systems via Email and Web interactions - Concern with the abuse of Web and Email use by employees, resulting in lost employee productivity, as well as the clogging of the organization's Internet connections with unnecessary bandwidth use due to large, non-business-related downloads.
When it comes to workplace monitoring, the employer's perspective seems to be that if an employee is not doing something wrong, then why should they worry about being monitored? Of course, the issue is not that simple.
While employees may not be able to provide many reasons for their discomfort with monitoring beyond a vague notion of it violating their privacy, a good argument can be made that oversight places employees in a position where they've lost control over some aspect of their life, specifically
with how their life is viewed by someone else.
Central to employee discomfort is the view that monitoring provides snapshots, from which judgments are made about people that can affect how they are perceived.
With monitoring they have no control over these perceptions (1).
With no ability to affect the perceptions that managers form of their employees,
the employees may lose control over their sense of self-worth. Booker T.
Washington once said, "Few things can help an individual more than to
place responsibility on him, and to let him know that you trust him." We
go in the opposite direction of this concept when we tell employees, that
their every move on the computer keyboard, all of their Email, and any Web
site they are visiting will be monitored, analyzed and evaluated as deemed
appropriate.

How did we get to this, why is it happening, and should this be how we do
business?

Online Privacy on the Job

We've come a long way in terms of how much privacy we actually do have
at work. As mentioned previously, employees historically had few legal
rights in the workplace. In the height of the Industrial Revolution, they
lived in company housing, bought nearly everything at the company store,
worshipped at the company church and sent their children to the company
school. George Pullman, for example, created just such an environment in
Pullman, Illinois in 1880. Pullman, in addition to effectively owning the town, employed a group of inspectors who enforced rigid codes of conduct
by fining citizens of Pullman who misbehaved. Things ran fairly well, at
least by Mr. Pullman's view of things, until 1898 when the Illinois
Supreme Court ruled that you can "own" a company, but not a town (2). In
Pullman's day, debates over privacy were largely nonexistent. You simply
took it for granted that you didn't have any privacy and this was
especially the case if keeping your job depended on giving up what little
privacy you did have, as Mr. Pullman all too well knew. While the level of
invasiveness that existed at the end of the nineteenth century isn't with
us now, there are still many areas where employers have deemed it
appropriate to invade what many of us would consider to be personal and
private.

Three different legal examples can frame where we stand with regard to
workplace privacy and specific considerations associated with electronic
forms of communications in the past 15 years.

First is a court case, O' Connor v. Ortega (3). In 1987, the U.S. Supreme
Court upheld a supervisor's search of a government employee's office, desk,
and files in a public-sector work place. The court stated that an employee
had an expectation of privacy in these areas, but that this expectation
was outweighed by a search that was "reasonable under all circumstances"
(4). O'Connor v. Ortega made clear that the court is willing to give
employers great latitude when it comes to establishing the boundaries of
an employee's privacy in the workplace. This case establishes that the
courts do not view the business environment as offering employees the same
protection for privacy as they expect in their home, or even on the street
for that matter. The provision of a search in the workplace being "
reasonable in all circumstances" provides a workplace supervisor the
latitude to search employees beyond that enjoyed by the police in a search
of someone's home or vehicle.

The Next issue is inherent in the Electronic Communication Privacy Act
of 1986 (ECPA). The ECPA amended Title III of the Omnibus Crime Control
and Safe Streets Act of 1968 (the Wire Tap Statute), which was designed to
protect communications from government surveillance. The law also
regulated private individuals and businesses. The ECPA amended the Wire
Tap Statute to encompass transmissions of electronic data by computer and
the law prohibits both the interception of electronic communications and
access to stored electronic communications. Some commentators argue that
this new law gives employees of private entities a right to privacy in
their e-mail; however, there is support for the proposition that employers
who own the computer system used by their employees have the right to monitor employees' e-mail. (5)

An important consideration surrounding ECPA restrictions on employee
monitoring centers on what is termed the "business exception". The legal
argument behind the "business exception" falls on the premise that a
business is allowed to protect itself from employee misuse of electronic
communications by monitoring employee use of electronic systems. For the
"business exception" to apply, an employer's reason for monitoring would
need to be credible and not excessive. In such circumstances the employer
would need to show that the monitoring of employee communications is
necessary to prevent misconduct in the work environment, needed to assure
the quality of communications with customers, or that the recordings are
to be used for the training of new employees (6).

In August of 1992, Alana Shoars brought a class action suit against Epson America, Inc. (Flanagan et al. v. Epson Am., Inc.) for invasion of privacy (7). In this case Epson, unbeknownst to its employees, was routinely monitoring employee Email. Shoars, the Email administrator for the company, discovered the practice, confronted management about the issue, and was subsequently fired. Ms. Shoars' suit was specifically for invasion of privacy under the California state constitution and statutes.
Both the issue of company ownership of the Email system in question, a consideration that brought this matter under the umbrella of O'Connor v. Ortega, and the "business exception" in the ECPA, weighed against Ms. Shoars. It was determined that the ECPA applies if the business providing Email access is an Internet service provider, but this was not the case with Epson. In addition, there was no California law that addressed the issue of electronic privacy in 1992. Ms. Shoars, and those with her in the case, lost the class action suit.
In the final consideration we find that O'Connor v. Ortega is used to justify an entirely new level of legal invasiveness when the legal system, itself, pushes the boundaries of what is or is not private. Employers are increasingly justifying employee monitoring from the perspective of preventing lawsuits. The number one reason for employer monitoring of any form of employee electronic communications (i.e., Email or Web searching), is the fear of lawsuits. U.S. News & World Report recently found that, "Companies state that they need to protect themselves against lawsuits, and use surveillance software and other tools that allow them to see what their employees are doing. Such software packages are becoming much less expensive and easier to use" (8).
What is the Best Path?
A number of ethical questions arise:
- Is the increase in monitoring simply a case of concern for legal penalties if such monitoring is not conducted? The Privacy Foundation's position is that while there seems to be some grounds for such concern, what tends to drive the use of monitoring software is more its availability and decreasing price, i.e., it's not that it's needed but that it's easy to do cheaply (15).
- From an organizational perspective there's the question of whether the benefits outweigh the related risks. Yes, businesses monitoring employees are more likely to catch the occasional sexual harasser, bandwidth hog or the stray Web crawler, but are these limited situations worth the resulting effect on morale and the feeling of hostility towards management? - If monitoring is to occur, to what extent should the employee be notified? This is actually related to the last question. If the focus of the surveillance system is to prevent vice (and to catch an employee in the course of doing something wrong), then it seems reasonable that employees be given sufficient warning that they're being monitored. In fact, most employers provide cursory warnings, often included somewhere in employee handbooks. Employees frequently overlook these warnings and, when pointed out, come as a surprise to them. Conclusion Employers have a legitimate concern regarding the proper use of electronic communications resources. Such concerns appear to be easily resolved by the use of inexpensive software packages that allow for the routine monitoring of all employees. While the initial implementation of such monitoring may well be inexpensive, the possible long-term costs may outweigh the potential benefits. This is especially true when it is understood that most of the problems allegedly solved by monitoring can be solved with existing software programs (rather than monitoring programs) or by consistent enforcement of organization policies that address issues of primary concern to employers, such as sexual harassment. Policies that emphasize trust in employees and foster a positive work environment are far more likely to encourage the type of loyalty and commitment that companies desire from their employers. Such qualities, unlike software, cannot be bought. One could also add a possible counter theoretical point that a network-connected computer can make all kinds of connections without the user being aware. We tend to act as if the only sites to which our computer will connect are the ones that we choose by typing in a URL or pressing the SEND button on a mail program. But software can make connections without our even knowing. That's the same principle that underlies Melissa-style viruses.

Nine-eleven again

Not only does electronic infrastructure play a greater role in our workplace and society and is critical to meeting our information needs, we now realize that it is also part of the communications infrastructure used by those who seek to destroy our life and society. Prior to 9/11 most police organizations in the United States were focused on capture of crime perpetrators. After crime evidence was gathered, suspects were tracked for eventual arrest. A significant amount of evidence gathering happened after an arrest. Crime labs and crime scene investigations were focused on post event evidence collection and analysis. Nine-eleven changed the ballgame for domestic police work. The criminals doing the most horrible crimes, people who intend to die during the commission of their crime, commit terrorist acts that can affect thousands of people at random. Catching them and punishing them is of no use. What is now demanded is PREVENTION. To prevent these attacks, they have to be foreseen. Conceivably there can be two types of attacks on information networks: the first uses the network itself to cause damage, such as critical water or fuel systems disrupted, or industrial processes sent out of control. Such attacks are hard to carry out, but are of a greater risk and warrant protection, such as taking key systems off of public networks (12). However, many critical systems remain connected to the Internet. Obviously, total isolation is not a solution. The second and more likely attack is disruption of an information network coupled with a more conventional method to slow down effective responses to an emergency. For any system on a network to be secure, all systems must be secured - doing that through the individual attention given by their users or administrators to setting proper access rights, installing updates to buggy software, checking logs for suspicious behavior, and so on (10). Some businesses have taken up this challenge as they consider computer security a major issue after having encountered a serious security incident. Others may be over confident. But there is a consensus that we are moving far too slowly in this security endeavor. Network intrusions have become too common; the quantity is noticeable higher. Security can be enhanced also by producing more robust products with fewer bugs. The Office for Homeland Security (OHS) released a large report on Sept. 18 (http://www.securecyberspace.gov) with guidelines for computer and network security. It contained similar generic security guidelines adopted by the European Union and the Organization for Economic Co-operation and Development (OECD). Mainly it suggested greater use of firewall software and anti-virus programs to protect from hackers. It recommended corporations establish security teams to review vulnerabilities and correct weaknesses by investing in new software and mainframe systems. It advised State and local governments to expand law enforcement efforts to tackle cybercrime. An information clearinghouse where private organizations can report attacks, ask for advice, and share best practices may be found in the Network Operations Center announced by OHS. A data retention law, like many passed in numerous European countries, may be helpful for the US in order to catch culprits. The accumulation of so much information however, covering every transaction by every network user, may tempt both governments and independent criminals to break in and mine the data for malicious purposes. Also the existence of a distributed database may lead to a much-feared form of social control especially as much of the second half of the 20th Century was spent building up laws to protect individuals and groups against the collection of information, but in the wake of Sept. 11 the pendulum is swinging back (11). Unfortunately, many countries around the world are tightening their surveillance of networks of fear of terrorism. Proponents present the new laws as a way to maintain balance - to let law enforcement do its traditional job in the face of challenges from new technologies. The Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, facilitated wiretapping in digital phone networks, but stopped short of allowing taps of Internet communications. The FBI tried to institute the practice informally through the use of a device called Carnivore. Now, after 9/11, the FBI has been granted this right in the PATRIOT act of 2001. The PATRIOT act allows police to do as much snooping and tracking online as they were doing before, but with less court oversight. Reports of censorship have appeared while some useful information for public interest has been removed from governmental sites for fear of terrorism. This atmosphere of suspicion stifles the growth of the Internet and high-speed networking. For example, while current wireless security is unsatisfactory, the current environment of fear stymies useful innovation. It seems that governments in general are cautious of new technologies. Simon Davis in the Communications of the ACM, decries the "arbitrary distinction between conventional technologies (the motor vehicle, telephone, and fax) that enjoy the protection of technological neutrality, and new technologies" that governments feel the need to penetrate and control. It is likely that buying sensors for biological agents, securing nuclear power plants, and guarding reservoirs and other public works would bring more security than spying and searching databases. Other threats to privacy include: increased data sharing, increased profiling and identification, international initiatives in harmonizing surveillance, audio bugging, and video surveillance. Peer-to-peer phenomena in 2000 and 2001 offered a source of valuable innovations in computer applications: distributed file systems, powerful search capabilities, flexible collaboration systems, and peer journalism. Unfortunately, fear from governmental reprisal may keep many from realizing the promise of putting power on the end-users' computers and fostering communities.

Conclusion

The new US guidelines have not gone far enough to make us feel safe or safeguard privacy on our computers and networks. Stronger laws may be needed for data retention to secure us from terrorism. However, checks and balances are required, as well, so that our privacy will be maintained as much as possible, and so that we won't go back to draconian times of the not so very far past. Security may be enhanced by more openness. Creative security researchers are pursuing distributed techniques for sharing information about anomalies (potential break-ins, viruses, and denials of service) so that cooperating organizations can react to them more quickly (11). Hopefully, 9/11 will help companies and governments realize that it's through cooperation and trust that supportive communities are built. Safety will ensue, and privacy will be respected and possibly given up freely, if necessary.

REFERENCES

1. Rosen, J. (2000). The Unwanted Gaze: The Destruction of Privacy in America. New York: Random House, Inc, pp 161. 2. Alderman. E. & Kennedy, C. (1995). The Right to Privacy. New York: Alfred A. Knopf, pp 313. 3. Not attributed. (December, 1999). Summary of Federal Laws: Electronic Communications Privacy Act of 1986 (ECPA). Retrieved August 15, 2001 from the World Wide Web: http://counsel.cua.edu/FEDLAW/Ecpa.htm 4. Lockhard, J, Griffin, G. (1999). Monitoring Employee E-mail, Voice Mail and Computer Files Without Violating Employees' Privacy Rights. Retrieved August 16, 2001, from the World Wide Web: http://www.clm.com/pubs/pub-914447_1.html 5. Alderman. E. & Kennedy, C., pp. 310 and 384 6. Alderman. E. & Kennedy, C., pp. 295 7. Hawkins, D. (2001, August 13). Lawsuits Spur Rise In Employer Monitoring. US News & World Report. Retrieved August 15, 2001 from the World Wide Web: www.usnews.com/usnews/issue/010813/work/workplace/htm 8. Not attributed. (2001, August). "2001 AMA Survey Workplace Monitoring & Surveillance: Policies and Practices". The American Management Association. Retrieved August 15, 2001 from the World Wide Web: http://www.amanet.org/research/pdfs/emsfu_short.pdf 9. Nugent, J. On-line privacy, unpublished paper. 10. Oram, A. "Cyber Hygiene, Not Cyber Fortress Protects Our Networks." , The American Reporter 11. Oram, A. (September 16, 2002), The American Reporter 12. Schneier, B. "Cyber-security: Uncle Sam Needs You", 13. Schneier, B. (September 2002) The Atlantic Monthly, ) 14. Van Reeken, A. (Oct. 2000) EEI21 15. Not attributed. (2001, August), American Management Association